Artificial Intelligence (AI) is a transformative technology that has prompted governments worldwide to establish guidelines for its safe and responsible use. A key player in this space is COBIT (Control Objectives for Information and Related Technologies), a framework created by ISACA for information technology (IT) management and IT governance. This post provides a brief history of COBIT's involvement in AI, its key responsibilities and activities, the current status, upcoming activities, and its interplay with related standards, including NIST.
What is COBIT?
COBIT is a framework that defines a set of generic processes for the management of IT, with each process defined together with process inputs and outputs, key process-activities, process objectives, performance measures, and an elementary maturity model. It is business-focused and aims to ensure that IT systems are safe and respect fundamental rights and values.
A Brief History of COBIT in AI
COBIT was first released by ISACA in 1996 as a set of control objectives to help the financial audit community better maneuver in IT-related environments. Seeing value in expanding the framework beyond just the auditing realm, ISACA released a broader version in 1998 and added management guidelines in the 2000 version.
Current Activities of COBIT in AI
COBIT has been actively involved in AI, contributing to the research, standards, and data required to realize the full promise of AI as a tool that will enable American innovation, enhance economic security, and improve our quality of life. Much of COBIT's work focuses on cultivating trust in the design, development, use, and governance of AI technologies and systems. For example, COBIT has proposed an I&T governance framework for AI based on a suggested COBIT 2019 expansion.
Upcoming Activities of COBIT in AI
While specific upcoming activities of COBIT in the AI space are not explicitly mentioned in the sources, it is clear that COBIT continues to evolve and adapt to the changing landscape of AI. It is expected that COBIT will continue to expand its framework to include more comprehensive controls regarding AI, specifically AI applications utilized for various purposes.
Interplay with NIST
COBIT and NIST have a symbiotic relationship where COBIT refers to the appropriate NIST publications at the process level, and NIST refers to COBIT practices as informative references. This allows for better mapping, reduced duplication, and a broader view of a cybersecurity program as a part of an overall governance of enterprise IT (GEIT) initiative.
Here are some of the key upcoming impacts of COBIT on AI:
AI in Marketing: COBIT has proposed an I&T governance framework for AI based on a suggested COBIT 2019 expansion. This framework provides essential, effective, and efficient controls regarding AI, specifically, AI applications utilized for marketing purposes.
Risk Management: COBIT is focusing on risk management in AI. The third line of defense (internal audit groups) can leverage the publication "COBIT Focus Area: Information and Technology Risk: Using COBIT® 2019" (COBIT IRFA) as a tool to assess the completeness and accuracy of an organization’s technology and security risk activities.
How COBIT Drives the Need for AI Audit Services
COBIT's emphasis on the alignment of IT goals with overall business objectives, effective risk management, and the establishment of a robust control environment underscores the importance of AI audits. AI audits will play a crucial role in ensuring that AI systems comply with COBIT's requirements. They will help identify and mitigate risks, ensure data privacy and security, and promote fairness and transparency. As such, businesses that develop or use AI systems should consider implementing robust AI audit mechanisms to ensure compliance with COBIT.